Tag Archive for FOI

FOI and the General Data Protection Regulation

FOIMan considers how the General Data Protection Regulation (GDPR) affects the Freedom of Information Act (FOI) and its administration.

Happy new year! 2018 is finally here and only a matter of months remain before the GDPR applies to anyone that processes personal data. You may have noticed that I’ve been fairly quiet online of late, and one reason for that is that I’ve been busy travelling the country delivering GDPR training to a range of organisations. Another reason will become clear in due course…

My first love is (when it comes to information rights anyway), of course, FOI. So given that I’ve been giving so much thought to GDPR, it made sense to think about how the new law affects FOI.

A few months ago I blogged briefly about an obscure schedule of the Data Protection Bill (hopefully soon to become the Data Protection Act 2018) that made amendments to FOI in order to ensure that the exemption for personal data will still work effectively with GDPR. It’s important that these changes happen otherwise there would be a conflict between FOI and the new data protection regime. Not making them could lead to personal data being disclosed when it shouldn’t be, or, as I indicated in my blogpost, to less information being disclosed than might have been in the past.

However, GDPR doesn’t just mean changes to other legislation. It means that any organisation processing personal data has to ensure that that processing meets its requirements. That includes public authorities.

What might be forgotten is that the handling of FOI requests invariably involves the processing of personal data. Some of that processing will be expected by applicants and will be easy to justify; some of it won’t be. When I gave a presentation about this to a group of practitioners in December, there were some audible gasps (of recognition primarily) as I listed some of the things that public authorities routinely do with personal data whilst processing FOI requests, but are often done without much thought. It’s not necessarily that those activities are wrong, you understand; but GDPR (if not the current Data Protection Act) requires all public authorities to give some thought to how they are justified. They’ll also need to ensure that they meet the other requirements of GDPR.

In my latest piece for PDP’s Freedom of Information Journal I’ve looked at the FOI amendments in the Data Protection Bill (at least as it stood in October when this piece was written). I’ve also examined how FOI requests are handled and what practitioners will want to be looking at to prepare for GDPR. A lot of the things I discuss will be relevant for other correspondence processes as well.

Have a read. I hope it gives you some food for thought at the start of what will be a very busy and interesting year.

A new FOI Code for Christmas

FOIMan takes a look at the government’s long-awaited draft FOI section 45 Code of Practice.

A long, long time ago, in a galaxy far, far away, before BREXIT, before the last General Election, you may recall that the Government, which was apparently led by some guy called Cameron, set up a Commission to make recommendations on FOI. If you’ve forgotten that, you almost certainly won’t remember that the government responded to the outcome of the Commission with a promise to update the s45 Code of Practice. The Code is required under (you’ve probably guessed) s.45 of the Act. The existing Code was written in 2004 (some bloke called Blair was in charge then, but nobody remembers him), and is, frankly, about as much use as a chocolate teapot (and rather less satisfying to consume).

Since March 2016, when the government made this promise, there have been wars and rumours of wars. In December 2016, the Information Commissioner reported at an FOI event that she’d heard a draft would be released in the new year. Notably, she didn’t indicate which one.

But now here we are. Last week, the Cabinet Office quietly published a new draft Code and consultation paper. So what does this new Code look like?

I’ve only had chance to quickly peruse it, but some observations. Overall, it is a welcome move to a practical guide for public authorities on fulfilling their FOI obligations. It actually addresses many of the crucial questions that arise for practitioners – it is helpful.

That said, there are a few things that leapt out at me.

The first section deals with the making of requests – what’s a valid request, how to carry out searches, that sort of thing. There is an attempt to define what should be treated as an FOI request which seems a missed opportunity. Apparently it is an FOI request unless it is asking for personal data, environmental information or “information given out as part of routine business”. Given that, as we’ll see, the Code calls for authorities to report on numbers of requests received, it would be useful for it to define more precisely which requests ought to be logged, monitored and reported on. I’m not convinced this definition is precise enough for that.

There is a degree of wish fulfilment on display. Information that has been deleted but remains on back-ups is not held, says the Code, in direct contradiction of multiple Tribunal decisions. Requests made in a foreign language will not be valid requests, it claims, which may be a practical reality for the most part (since it would be impossible to know whether or not it was a request in many circumstances), but it would be interesting to know what legal basis there is for this stark statement. (I may well have missed a relevant decision, so please do let me know if I have).

Sections 4 and 5 make clear (as per the Commission’s recommendations) that public interest extensions and internal reviews should normally be limited to 20 working days. Applicants’ complaints can be ignored if submitted later than 40 working days after the response is sent out. The section on internal reviews is particularly welcome given that the Act, of course, doesn’t require a review, so the Code is really the only way to establish a common approach.

There are some useful chapters on vexatious requests and the cost limit, effectively just articulating the approach taken by the Tribunals over the last few years, but nonetheless welcome.

The really interesting developments are in section 8, on publication schemes (no, really). The Code follows the Commission’s recommendations that public authorities with over 100 FTE employees should publish statistics on FOI compliance – numbers received, numbers answered in 20 days, numbers refused, numbers granted, and numbers of internal reviews. It recommends that these be published quarterly. It also calls for senior pay, expenses and “payments in kind” to be reported on.

The next section deals with the controversial matter of outsourced public services. It makes some sensible recommendations, though I doubt this will silence calls for companies delivering such services to be made subject to FOI.

Finally, the datasets Code, now of limited use since the arrival of the Re-use of Public Sector Information Regulations, is now subsumed within the main s45 Code.

The tone of the language in the Code I think does betray the Cabinet Office’s lack of enthusiasm for FOI. However, the approach taken isn’t entirely a bad thing – a clear no-nonsense guide like this is long overdue. One of the common criticisms of FOI is that it is too vague and unclear – this helps address that.

In any case, if you agree or disagree, now’s your chance to say so. The consultation on this draft is open until 2 February so if you have any views on the draft Code, make sure you submit them before then.

WhatDoTheyKnow About Refusing Requests?

FOIMan reviews refusal notices issued via the WhatDoTheyKnow.com website.

FOI is all about transparency. Most of the time that is demonstrated by disclosing requested information. On occasion though, public authorities have to refuse requests, and where this is the case, transparency should extend to the reasons why the requested information cannot be disclosed.

The Act itself (and the Environmental Information Regulations as well) sets out the requirement to issue a notice explaining the refusal and what must be included in it. Not surprisingly, the Information Commissioner has provided guidance over the years on how this obligation ought to be met as well.

Public authorities should therefore have a pretty clear idea of what to tell applicants when they refuse requests. Well, perhaps…

In my latest article for PDP’s FOI Journal, I examine 250 responses to requests made via the WhatDoTheyKnow.com website. Unfortunately I find that many responses leave a lot to be desired. You can read the article here.

Local Authority Meetings & Secrecy

FOIMan clarifies the relationship between FOI and local authority meeting rules.

Following the awful tragedy that unfolded at Grenfell Tower, there have been a lot of questions asked of the local council, the Royal Borough of Kensington and Chelsea (RBKC). Yesterday (29 June 2017) the council held a Cabinet meeting which began and ended in controversial circumstances. I was subsequently asked by a follower on Twitter about the relationship between FOI and attendance at council meetings.

The short answer is that there is none. FOI gives a right of access to information held by public authorities. It doesn’t regulate access to meetings.

The longer and more helpful answer is that FOI forms part of a range of legal requirements that ensure that local authorities like RBKC are accountable. I’ve written previously about transparency rules in local government. In relation to meetings of the RBKC cabinet, the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012 are, I believe, the relevant rules. I won’t go into whether RBKC were entitled to exclude the media from the meeting in this case as a) I don’t claim to be an expert in this area, and b) it’s already been dealt with by a legal ruling which ruled that the Press had to be admitted. But if you’re interested in what the rules are, the regulations I mention above may be of interest to you.

From my point of view, one of the most interesting issues is that RBKC are the latest organisation to discover that the perception of secrecy can be just as damaging, if not more so, as the revelation of embarrassing information (interestingly a theme explored by Dr Ben Worthy in his recent book on The Politics of FOI, which I thoroughly recommend). As one MP in their maiden speech said:

The public has the right…to know what its elected representatives are doing…Publicity is the greatest and most effective check against any arbitrary action.

The MP was Margaret Thatcher, and she said this in 1960 in support of a Bill to allow the Press to attend council meetings.

(HT to Alan Travis of The Guardian – @alantravis40 – for providing the quote above from Hansard in a Tweet yesterday)

Same thing, different gravy? The EIRs Part II

FOIMan examines the similarities and differences between FOIA and the Environmental Information Regulations.

A few months ago I started a series in PDP’s Freedom of Information Journal on the Environmental Information Regulations (EIRs), starting with an examination of the definition of environmental information. Here I bring you the second instalment in the series which looks at how FOIA and the EIRs differ.

I’ve just written the third and final part in the series which covers the exceptions in the EIRs. You’ll be able to read that in the next issue of the journal or right here on the FOIMan site later in the summer. Once they’re all available, I’ll put them all in one place in the Resources section so they will act as a comprehensive guide to the EIRs.